Google Workspace SMTP Relay (IP-Based) — Architecture, Configuration, EHLO / Envelope-From Errors & Fixes

📅 07 Feb 2026 📂 General 👁 2 views

This Knowledge Base article provides a technical deep dive into Google Workspace Gmail SMTP Relay (IP-based), covering:

SMTP Relay architecture and behavior
Correct configuration for application / portal email
Root-cause analysis of 5.7.1 Invalid credentials for relay errors
Correct usage of EHLO / HELO hostname and Envelope-From (MAIL FROM)
Security considerations and best practices

Target audience:

IT professionals
System administrators
Support and infrastructure engineers

2. Overview: Gmail SMTP Relay Service

What SMTP Relay Is

Gmail SMTP Relay allows servers and applications to send mail through Google’s infrastructure without authenticating as a mailbox user.

Why SMTP Relay Is Used

Avoids Gmail per-user sending limits
Designed for automated/system email
Uses infrastructure trust (IP + domain) instead of passwords

Supported Relay Modes

Relay Type	Authentication	Use Case
IP-based relay	Source IP	Servers, portals, ERP systems (recommended)
SMTP AUTH relay	Username + password	Legacy apps, shared hosting

3. Architecture & Message Flow (IP-Based Relay)


Application / Portal Server (Public IP: 203.0.113.10)
        |
        | SMTP (STARTTLS)
        | EHLO example.com
        | MAIL FROM:<mailer@example.com>
        v
smtp-relay.gmail.com
        |
        | Google validates:
        | - Source IP
        | - EHLO domain
        | - Envelope-From domain
        v
Gmail mail infrastructure
        |
        v
Recipient mail servers

4. Use Cases & Supported Environments

Typical Use Cases

Order confirmations
ERP / CRM notifications
Dealer or partner portals
Monitoring and alerting systems
Password reset and system emails

Supported Environments

Cloud VMs (Azure / AWS / GCP)
VPS with static outbound IP
On-premise servers with NAT

5. Step-by-Step: Enable IP-Based SMTP Relay

5.1 Prerequisites

Static outbound IP of sending server (example: 203.0.113.10)
Google Workspace admin access
DNS control for the domain

5.2 Configure SMTP Relay in Admin Console

Admin Console → Apps → Google Workspace → Gmail
Open Routing
Locate SMTP Relay Service
Add or edit a relay rule

Recommended Settings

Allowed senders: Only addresses in my domains
Authentication:
- ✔ Only accept mail from specified IP addresses
- ❌ Require SMTP Authentication
Allowed IP: 203.0.113.10
Encryption: Require TLS

Save and allow 5–10 minutes for activation.

6. Application / Portal SMTP Configuration

Required SMTP Parameters


SMTP Host        : smtp-relay.gmail.com
Port             : 587
Encryption       : STARTTLS
SMTP Auth        : OFF
Username         : (empty)
Password         : (empty)

Mandatory Identity Parameters

Parameter	Required Value
EHLO / HELO	example.com
Envelope-From (MAIL FROM)	mailer@example.com
From header	mailer@example.com
Sender header	mailer@example.com

These values must belong to a domain registered in Google Workspace.

7. EHLO / Envelope-From — Technical Explanation

EHLO / HELO

SMTP greeting hostname
Must match a Workspace domain
Invalid examples:
- localhost
- server hostname
- hosting provider name

Envelope-From (MAIL FROM)

SMTP-level sender identity
Used for SPF, DMARC, and bounce handling
Different from the visible “From” header

If either value is missing or mismatched, Google rejects the relay.

8. Common Errors, Root Causes & Fixes

Error


5.7.1 Invalid credentials for relay

Root Causes

EHLO hostname not matching Workspace domain
Empty or external Envelope-From
Application cannot control SMTP identity

Resolution

Set EHLO to example.com
Explicitly set MAIL FROM to mailer@example.com
Test from the actual application (not SMTP test tools)

Error


Relay access denied

Root Causes

Incorrect outbound IP
NAT or firewall rewriting source IP

Verification


curl ifconfig.me

Ensure output matches the IP registered in SMTP Relay.

9. DNS & Email Authentication Requirements

SPF (Required)

Minimal SPF for Google-only sending:


v=spf1 include:_spf.google.com ~all

DKIM

Enable in Admin Console → Gmail → Authenticate domain
Strongly recommended for all relay traffic

DMARC (Recommended)


v=DMARC1; p=quarantine; adkim=r; aspf=r; pct=100;

10. Security Considerations & Risks

Security Benefits

No stored user credentials
IP-restricted sending
Domain-level enforcement

Risks & Mitigation

Risk	Mitigation
IP misuse	Firewall + static IP
Spoofed domains	SPF + DKIM + DMARC
Misconfigured apps	Enforce EHLO and MAIL FROM

11. Best Practices & Recommendations

Prefer IP-based SMTP Relay
Avoid using human mailboxes for automation
Use a single, consistent sender identity
Monitor Email Log Search after changes
Keep SPF DNS lookups under 10
Avoid generic SMTP testing tools

12. When to Use SMTP AUTH Relay

Use SMTP AUTH relay only if:

No static outbound IP is available
Application cannot control EHLO / Envelope-From

Trade-off:

Easier configuration
Slightly reduced trust model

13. Conclusion

Google Workspace SMTP Relay is a domain- and infrastructure-trust system, not a user-authenticated SMTP service.
Successful implementation depends on correct IP authorization, EHLO identity, and Envelope-From alignment.

When configured correctly, SMTP Relay provides:

High deliverability
No per-user sending limits
Secure, scalable email for enterprise applications

#GoogleWorkspace #SMTPRelay #GmailRelay #EmailInfrastructure #ITAdmin #SysAdmin #SMTP587 #STARTTLS #EmailSecurity #SPF #DKIM #DMARC #OutboundRelay #AutomatedEmail #ServerEmail #ERPEmail #PortalEmail #SMTPConfig #MailServer #EmailTroubleshooting #EmailOps #MailRouting #SMTPGuide #GoogleAdmin #EnterpriseEmail #MailDelivery #EmailAuthentication #SMTPError #MailSecurity #Infrastructure #CloudEmail #EmailCompliance #MailArchitecture #SMTPRelayGuide #WorkspaceAdmin #EmailBestPractices #SystemEmail #NotificationEmail #OrderEmail #ITSupport #TechKB #MailOps #SMTPAuth #IPBasedRelay #GmailSMTP

google smtp relay google workspace smtp relay smtp-relay.gmail.com gmail smtp relay ip based google smtp relay invalid credentials 5.7.1 invalid credentials for relay smtp relay ehlo error smtp relay envelope from gmail relay access denied google

Google Workspace SMTP Relay (IP-Based) — Architecture, Configuration, EHLO / Envelope-From Errors & Fixes

2. Overview: Gmail SMTP Relay Service

What SMTP Relay Is

Why SMTP Relay Is Used

Supported Relay Modes

3. Architecture & Message Flow (IP-Based Relay)

4. Use Cases & Supported Environments

Typical Use Cases

Supported Environments

5. Step-by-Step: Enable IP-Based SMTP Relay

5.1 Prerequisites

5.2 Configure SMTP Relay in Admin Console

6. Application / Portal SMTP Configuration

Required SMTP Parameters

Mandatory Identity Parameters

7. EHLO / Envelope-From — Technical Explanation

EHLO / HELO

Envelope-From (MAIL FROM)

8. Common Errors, Root Causes & Fixes

Error

Error

9. DNS & Email Authentication Requirements

SPF (Required)

DKIM

DMARC (Recommended)

10. Security Considerations & Risks

Security Benefits

Risks & Mitigation

11. Best Practices & Recommendations

12. When to Use SMTP AUTH Relay

13. Conclusion

Was this article helpful?